ABSTRACT



A method and apparatus for an advanced byte -oriented 
symmetric key cipher for encryption and decryption, using 
a block cipher algorithm. Different block sizes and key sizes 
are supported, and a different sub-key is used in each round. 
Encryption is computed using a variable number of rounds 
of mixing, permutation, and key-dependent substitution. 
Decryption uses a variable number of rounds of key- 
dependent inverse substitution, inverse permutation, and 
inverse mixing. The variable length sub-keys are data- 
independent, and can be precomputed. 

27 Claims, 10 Drawing Sheets 
METHOD AND APPARATUS FOR
ADVANCED BYTE-ORIENTED SYMMETRIC 
KEY BLOCK CIPHER WITH VARIABLE 
LENGTH KEY AND BLOCK 

RELATED INVENTIONS 

IBM application serial number 09/018,707 entitled 
"Method and Apparatus for Advanced Symmetric Key 
Block Cipher with Variable Length Key and Block" filed 
Feb. 4, 1998. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to cryptography, and deals 
more particularly with a symmetric key cipher for encryp- 
tion and decryption, using a block cipher algorithm. This 
algorithm allows the block size, key size, and number of 
rounds of ciphering to vary. 

2. Description of the Related Art 

Cryptography is a security mechanism for protecting 
information from unintended disclosure by transforming the 
information into a form that is unreadable to humans, and 
unreadable to machines that are not specially adapted to 
reversing the transformation back to the original information 
content. The cryptographic transformation can be performed 
on data that is to be transmitted electronically, such as an 
electronic mail message, and is equally useful for data that 
is to be securely stored, such as the account records for 
customers of a bank or credit company. 

In addition to preventing unintended disclosure, cryptog- 
raphy also provides a mechanism for preventing unautho- 
rized alteration of data transmitted or stored in electronic 
form. After the data has been transformed cryptographically, 
an unauthorized person is unlikely to be able to determine 
how to alter the data, because the specific data portion of 
interest cannot be recognized. Even if the unauthorized user 
knew the position of the data portion within a data file or 
message, this position may have been changed by the 
transformation, preventing the unauthorized person from 
merely substituting data in place. If an alteration to the 
transformed data is made by the unauthorized user despite 
the foregoing difficulties, the fact of the alteration will be 
readily detectable, so that the data will be considered 
untrustworthy and not relied upon. This detection occurs 
when the transformation is reversed: the encrypted data will 
not reverse to its original contents properly if it has been 
altered. The same principle prevents unauthorized addition 
of characters to the data, and deletion of characters from the 
data, once it has been transformed. 

The transformation process performed on the original data is referred to as "encryption". The process of reversing the transformation, to restore the original data, is referred to as "decryption". The terms "encipher" and "decipher" are also used to describe these processes, respectively. A mechanism that can both encipher and decipher is referred to as a "cipher".

Mathematical algorithms are used to describe the functioning of ciphers. The goal of a cipher is to be computationally infeasible to "break" — that is, it must be nearly impossible to "guess" or derive the original data content from any series of computations that can be performed on the transformed data, absent knowledge of how the encryption was accomplished. Use of a "key" during the encryption and decryption processes helps make the cipher more difficult to break. A key is a randomly-generated number factored into operation of the encryption to make the result dependent on the key. The value used for the key in effect "personalizes" the algorithm, so that the same algorithm used on the same input data produces a different output for each different key value. When the value of this key is unknown to the unauthorized persons, they will not be able to duplicate or to reverse the encryption. Provided that the key is kept secret, the algorithm that performs the ciphering can be made public. The key will be known to the parties intended to encrypt and decrypt the data: they can use the key to "lock" and "unlock" the data contents, whereas unauthorized persons cannot. When the same key is used for encrypting and for decrypting, the key is referred to as being "symmetric".

A cipher to be used in a computer system can be implemented in hardware, in software, or in a combination of hardware and software. Hardware chips are available that implement various ciphers. Software algorithms are known in the art as well.

A commonly used cipher is known as the Data Encryption Algorithm ("DEA"). This algorithm was developed by scientists of the International Business Machines Corporation ("IBM"), and formed the basis of a United States federal standard known as the Data Encryption Standard ("DES"), which was adopted in 1977. DES has been in use since that time. A variant of the DES algorithm, known as "Triple DES", was developed to increase the strength of the result over that available with DES. Triple DES uses three rounds of ciphering, with different keys for each of the rounds.

After twenty years, many believe that a new stronger, more flexible algorithm is needed. One way to make a cipher stronger is to increase the number of rounds of ciphering performed: with each successive transformation, the resulting encryption becomes more difficult to break. Another way to increase the strength is to increase the size of the key. Since the contents of the key remain secret, increasing the size adds another level of difficulty for anyone trying to deduce what transformations may have been performed on the original data, because they are unlikely to guess the random number combination making up the key. Yet another way to increase algorithm strength is to increase the size of the "block" on which the cipher performs its transformations. A block is the unit of original data processed during one ciphering operation. The larger the block size, the more difficult it becomes for an adversary to construct a dictionary of plaintext and matching ciphertext, for a given key, large enough to pose a threat to the security of the algorithm. Further, different keys can be used for each round, increasing the number of random number combinations that would have to be correctly guessed in order to break the cipher. These keys are referred to herein as "sub-keys".

It will be appreciated that when a cipher allows varying the number of rounds, the key size, the key values, and the block size at the same time, an incredibly difficult challenge is presented to a person attempting to discover the original data contents from an encrypted result. It will also be appreciated that the computations involved to cipher the data are quite complex, and that while performing more rounds of ciphering increases the strength of the result, it also causes computation time to increase. When data is very sensitive, this time spent in ciphering will be warranted. It may be, however, that less sensitive data does not warrant the added time and expense of many rounds of ciphering. By providing an algorithm where the number of rounds, the key size and values, and the block size are variable, the ultimate choice between the level of security required and the amount of computation time utilized rests with the user. By allowing
the number of rounds, key size, and block size to vary, the cipher of the present invention becomes, in effect, scalable in three dimensions.

The existing DES and Triple DES algorithms use the secret key approach described above, but do not provide for variation in the key size, the block size, or the number of rounds of ciphering. As stated earlier, it is desired to have a more flexible, scalable algorithmic solution, that increases the strength of the result.

Accordingly, a need exists for an improved and more flexible cryptographic algorithm. More particularly, a need exists for a method and apparatus for an improved cryptographic algorithm that is block-oriented and uses a secret key. The cipher should use a variable length key, a variable length block, and a variable number of rounds. The cipher should provide for use of a different key during each round, and the key should be symmetric. The technique of the present invention achieves these objectives while using the simple operations of table lookup, exclusive OR, and key-dependent substitution, thereby minimizing the time required to encrypt and decrypt data. The data-independent sub-keys can be precomputed, further minimizing the time required for encryption and decryption. A minimal amount of computer storage is required for data used in the operation of the algorithm.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a technique whereby data can be encrypted in such a manner as to make discovery of the underlying data contents, other than by use of the corresponding decryption technique, computationally infeasible.

Another object of the present invention is to provide a technique whereby encryption is accomplished with a strength better than that of existing DES and Triple DES solutions, with significantly improved efficiency.

Another object of the present invention is to provide a solution that does not use a significant amount of computer storage, in order to maximize the number of environments in which the solution can be used, including limited-storage devices such as those known as "Smart Cards".

Another object of the present invention is to provide a technique whereby decryption of the encrypted data restores the data to its original contents, in an efficient and error-free manner.

Another object of the present invention is to provide a solution that can be implemented in hardware or in software.

Another object of the present invention is to provide a solution that allows precomputing the sub-keys to be used for each round of ciphering in order to minimize the time required for encrypting or decrypting an individual file or message.

Still another object of the present invention is to provide a technique whereby the cipher used for encryption and decryption is block-oriented, uses a symmetric key, and uses different sub-keys during each round of ciphering.

A further object of the present invention is to provide a technique whereby the cipher uses a variable number of rounds of ciphering during encryption and decryption, a variable length block of data as the unit to be encrypted and decrypted, and a variable length key. Allowing these factors to vary will provide the user with choices that will not only affect execution time and strength of security for any given use of the cipher, but will also allow variation between subsequent uses of the cipher, further increasing the difficulty of breaking encrypted data from a given source. The variation capability makes the cipher scalable in three dimensions, providing the user with flexibility to tune the algorithm to achieve the proper trade-off between execution time required and security achieved, in order to meet the needs of his particular application.

Yet another object of the present invention is to provide a technique whereby particular values for the variable information used by the algorithm — i.e., key length, block length, and number of rounds — are factored into the software or hardware implementation, as fixed values, in order to optimize performance.

Other objects and advantages of the present invention will be set forth in part in the description and in the drawings which follow and, in part, will be obvious from the description or may be learned by practice of the invention.

To achieve the foregoing objects, and in accordance with the purpose of the invention as broadly described herein, the present invention provides a technique, system, and method for implementing a byte-oriented symmetric key block cipher supporting a variable length input key, a variable length block, and a variable number of rounds, comprising a subprocess for accessing and retrieving values in substitution boxes (s-boxes); a subprocess for generating sub-keys using this input key and these s-boxes; a subprocess for encrypting input data bytes (where these bytes are part of a block, and the block is part of an input data file) using the generated sub-keys and the s-boxes, producing encrypted data bytes (which are part of a corresponding encrypted block, which is part of an encrypted data file); and a subprocess for decrypting the encrypted data bytes using the sub-keys and s-boxes, resulting in restoration of the input data bytes.

The present invention will now be described with reference to the following drawings, in which like reference numbers denote the same element throughout.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer workstation environment in which the present invention may be practiced;

FIG. 2 is a diagram of a networked computing environment in which the present invention may be practiced;

FIGS. 3A-3B illustrate a flow chart which sets forth the logic used by the present invention to encrypt a block of data;

FIGS. 4A-4B illustrate a flow chart which sets forth the logic used by the present invention to decrypt a block of data;

FIGS. 5A-5B illustrate a flow chart which sets forth the logic used by the present invention to generate sub-keys from a key for each round of the cipher;

FIG. 6 shows an example of substitution boxes that may be used with the present invention; and

FIG. 7 shows a small substitution box and its inverse substitution box, to illustrate the principle of inverting a substitution box.

DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 illustrates a representative workstation hardware environment in which the present invention may be practiced. The environment of FIG. 1 comprises a representative single user computer workstation 10, such as a personal
computer, including related peripheral devices. The workstation 10 includes a microprocessor 12 and a bus 14 employed to connect and enable communication between the microprocessor 12 and the components of the workstation 10 in accordance with known techniques. The workstation 10 typically includes a user interface adapter 1, which connects the microprocessor 12 via the bus 14 to one or more interface devices, such as a keyboard 18, mouse 20, and/or other interface devices 22, which can be any user interface device, such as a touch sensitive screen, digitized entry pad, etc. The bus 14 also connects a display device 24, such as an LCD screen or monitor, to the microprocessor 12 via a display adaptor 26. The bus 14 also connects the microprocessor 12 to memory 28 and long term storage 30 which can include a hard drive, diskette drive, tape drive, etc.

The workstation 10 may communicate via a communications channel 32 with other computers or networks of computers. The workstation 10 may be associated with such other computers in a local area network (LAN) or a wide area network, the workstation 10 can be a client in a client/server arrangement with another computer, or the workstation 10 may operate as a stand-alone unit without communication to other workstations, etc. All of these configurations, as well as the appropriate communications hardware and software, are known in the art.

FIG. 2 illustrates a data processing network 40 in which the present invention may be practiced. The data processing network 40 includes a plurality of individual networks, including LANs 42 and 44, each of which includes a plurality of individual workstations 10. Alternatively, as those skilled in the art will appreciate, a LAN may comprise a plurality of intelligent workstations coupled to a host processor.

Still referring to FIG. 2, the data processing network 40 may also include multiple mainframe computers, such as a mainframe computer 46, which may be preferably coupled to the LAN 44 by means of a communications link 48. The mainframe computer 46 may be implemented utilizing an Enterprise Systems Architecture/370, or an Enterprise Systems Architecture/390 computer available from IBM. Depending on the application, a midrange computer, such as an Application System/400 (also known as an AS/400) may be employed. "Enterprise Systems Architecture/370" is a trademark of IBM; "Enterprise Systems Architecture/390", "Application System/400", and "AS/400" are registered trademarks of IBM.

The mainframe computer 46 may also be coupled to a storage device 50, which may serve as remote storage for the LAN 44. Similarly, the LAN 44 may be coupled to a communications link 52 through a subsystem control unit/communication controller 54 and a communications link 56 to a gateway server 58. The gateway server 58 is preferably an individual computer or intelligent workstation which serves to link the LAN 42 to the LAN 44.

Those skilled in the art will appreciate that the mainframe computer 46 may be located a great geographic distance from the LAN 44, and similarly, the LAN 44 may be located a substantial distance from the LAN 42. For example, the LAN 42 may be located in California, while the LAN 44 may be located in Texas, and the mainframe computer 46 may be located in New York.

In a software solution, programming code which embodies the present invention is typically accessed by the microprocessor 12 of the workstation 10 from long term storage media of some type, such as a CD-ROM drive or hard drive, which is represented by the permanent storage 30 of the workstation 10. In a client-server environment, such software programming code may be stored with storage associated with a server. The software programming code may be embodied on any of a variety of known media for use with a data processing system, such as a diskette, hard drive, or CD-ROM. The code may be distributed on such media, or may be distributed to users from the memory or storage of one computer system over a network of some type to other computer systems for use by users of such other systems. Alternatively, the programming code may be embodied in the memory 28, and accessed by the microprocessor 12 using the bus 14. The techniques and methods for embodying software programming code in memory, on physical media, and/or distributing software code via networks are well known and will not be further discussed herein.

The encrypted data resulting from use of the present invention may be stored in the storage 30, or may be sent from the workstation 10 to another computer or workstation of the network illustrated in FIG. 2 over the communications channel 32, for storage by that other computer or workstation.

In a hardware solution, the present invention may be embodied in the processor 12 of the workstation 10. Techniques for implementing logic functions in processors are well known in the art.

Preferred embodiments of the present invention will now be discussed with reference to FIGS. 3 through 7 and Table 1.

In the preferred embodiments, the present invention is implemented as a computer software program. This software performs the derivation of sub-keys from an input key for each round of the cipher, the encrypting of the data contents, and the decrypting of the data contents. The data may represent a message to be communicated over a network. The message may represent any of a number of types of information, such as conversational text sent as electronic mail, or a purchase request containing the buyer's credit card or account data. Alternatively, the data may be a conventional data file. Examples of this type of data include patient medical history, customer credit history, income tax and earnings data, and any conceivable stored information that needs to be protected from unintended disclosure. This type of data may be encrypted for transmission over a network, or it may be encrypted merely for secure storage. For ease of reference, the input data file or message will be referred to herein as the "input file".

The present invention encrypts and subsequently decrypts the data using a block-oriented cipher. The purpose of using a block-oriented cipher is to avoid having to synchronize the encryption and decryption processes. Stream ciphers (unlike block ciphers) require that the encryptor and decryptor be synchronized. The block-oriented cipher uses a symmetric key—that is, it uses the same key for encryption and for decryption. Thus, the key must be kept secret. This enables the algorithm to be publicly known and publicly available, while still protecting the data that has been enciphered. The cipher operates in a mode in which the algorithm uses the key and the result of its own earlier iterations to randomize the transformation of data. The concepts of block-oriented ciphers and symmetric keys are well known in the art.

The present invention also provides a technique for using variable block sizes, variable key sizes, and a variable number of rounds of cipher processing. The purpose of allowing these variables is to give the user of the cipher the flexibility to choose trade-offs between the increased com-
puting time required (for example, as the number of processing rounds increases) and the strength of the resulting encryption.

Optionally, the present invention allows the software or hardware implementation of the cipher algorithm to be optimized for particular values of the variables. This is done by allowing a user of the cipher to enter values for block size, key size, and/or number of rounds before the final step of producing the cipher implementation. The final implementation then treats the values as being fixed, and is optimized for those fixed values.

The present invention accomplishes encryption of data using the steps of mixing, permutation, and key-dependent substitution for particular, defined groups of bytes of the block of data. A similar approach, with corresponding steps, is used for generating the sub-keys from the key for each round of the cipher. Decryption of data is accomplished in the present invention using the inverse of the data encryption, where the steps are key-dependent inverse substitution, inverse permutation, and inverse mixing. The terms "key-dependent inverse substitution", "inverse permutation", and "inverse mixing" mean that the processing performed in each of these decryption steps is the inverse of the processing performed in the corresponding encryption step. By performing inverse processing, in inverse order, the encrypted data is restored to its original content.

ENCRYPTION

FIRST ALTERNATIVE EMBODIMENT

FIG. 3 illustrates the logical steps performed when a first alternative embodiment of the present invention is executed to encrypt a block of data. The process shown in this figure is repeated for each block of data in the input file.

Note that the process of FIG. 3 does not show the user entering particular values to be used for the variables (block size, key size, and number of rounds) defined for the cipher of the present invention, nor the value to be used for the key. The user will have been prompted to enter these values as configuration parameters of the cipher implementation. Or, if an optimized implementation of the cipher is being used, the user will have been prompted to enter values for block size, key size, and/or number of rounds before the final step of producing the implementation has completed. Techniques for entering values required by an implementation are well known in the art.

The first Step 100 is to initialize the iteration counter, to keep track of how many rounds of cipher processing have been performed. At Step 110, a comparison is made between the iteration counter and the number of rounds of processing required. While the iteration counter is less than the number of rounds, the processing will continue on to Step 120. However, if the two values compared are equal, then encryption of the block has completed. It will be understood by one skilled in the art that the encryption process for each block of data forming the input file is identical, and that the process of FIG. 3 is used on each successive block until all blocks of the input file have been encrypted.

At Step 120, a byte counter ("i") is initialized. This counter is used to step through each byte of the block of data, performing appropriate transformations on that byte as defined by the current invention. In the preferred embodiments, the byte counter begins at zero, and the variable number of bytes (referred to herein as ||C||, meaning "length of C" and shown in the figures as "(len C)", where C represents the block of data) of the block are numbered from zero through (||C||-1). Alternatively, the counter could begin at one, with the data bytes numbered from one through ||C||. Techniques for numbering bytes of data, and counting and referring to those bytes, are well known in the art, as is the fact that zero-based versus one-based numbering has no effect on the outcome of the corresponding algorithm.

Step 130 tests to see if the byte counter points to a byte in the left half of the data block, or in the right half. The present invention performs different mixing transformations during the mixing step for the bytes in the left half than it does for the bytes in the right half. If the byte counter points to the left half of the data block, processing continues at Step 140 to perform the left-half mixing steps. If the byte counter points to the right half of the data block, processing continues at Step 160 to perform the right-half mixing steps.

The processing performed at Step 140 (the left-half mixing) is defined by the following mathematical equation:

newC_i = S_(i mod 2)[ C_i XOR C_(i+||C||/2) XOR C_(||C||/2 + ((i-1) mod ||C||/2)) ]

where 0 ≤ i ≤ (||C||/2)-1

It will be understood by one skilled in the art, referring to Table 1 for an explanation of symbols, that the equation for left-half mixing performs two exclusive OR operations to determine an index to be used in retrieving a value from a substitution box. (For ease of reference, the substitution boxes will be referred to herein as "s-boxes", a term known by those skilled in the art.) The operands of the first exclusive OR operation are the byte of C pointed to by the current byte counter (the ith numbered byte) and a corresponding byte from the right half of C (that is, the ith byte of the right half). The operands of the second exclusive OR are the result from the first, and the ith byte of the right half if the right half had been rotated one byte to the right. For example, if C is 8 bytes long, then the bytes of the left half are numbered 0, 1, 2, and 3; the bytes of the right half are numbered 4, 5, 6, and 7. The first exclusive OR, when i=0, uses bytes 0 and 4. Rotating the right half one byte to the right would effectively change the right half from 4, 5, 6, 7 into 7, 4, 5, 6. Thus, the second exclusive OR would use, for its second operand, byte 7. When i=2, the first operation would use bytes 2 and 6, and the second would use this result along with byte 5. The concept of rotating a group of bytes is well known in the art. Once the exclusive ORs have been performed, the result is used to index into one of the s-boxes. Indexing techniques are well known in the art, and will not be described further herein. The exclusive OR operation is also well known in the art, and will not be described further.

The preferred embodiments of the present invention contemplate use of two s-boxes. FIG. 6 shows two s-boxes that may be used with the present invention. The particular values shown in the s-boxes are provided merely as examples. The values can be rearranged with no effect on the functionality of the present invention. Different arrangements may impact the resulting strength of the cipher, however. The values shown were arrived at by randomly generating s-boxes, and then analyzing them for low differential and linear characteristics. This type of analysis is well known to those skilled in the art. Generating alternative s-boxes beyond those shown in FIG. 6 does not form a part of the present invention, and thus will not be further described.

Each of the two s-boxes shown in FIG. 6 is a one-dimensional array of non-repeating values between 0 and 255, indexed from 0 to 255. (The s-boxes each have 256
entries, so that indexing can be performed with an 8-bit number, where 8 bits is the length of the value resulting from the two exclusive OR operations. Note that the values are shown in FIG. 6 using their decimal representation.) Referring again to the left-half mixing equation, it will be seen that when the byte counter i is an even number, s-box zero is used; when i is an odd number, s-box one is used. For example, when i=2, then (i mod 2)=(2 mod 2), which evaluates to 0 and selects s-box zero; when i=5, then (i mod 2)=(5 mod 2), which evaluates to 1 and selects s-box one. The value retrieved from the s-box is substituted for the ith byte of original data from the current block, resulting in a mixed byte.

It will be understood by one skilled in the art that the number of s-boxes can be increased, or decreased, from two. This would be used to further increase the strength, or the efficiency, of the cipher. Increasing the number of s-boxes would allow different boxes to be used at different points of ciphering (for example, one set of boxes for mixing and a different set for key-dependent substitution) or for different portions of the input block (for example, one set of boxes for mixing the left half, and a different set for mixing the right half). Decreasing the number of boxes requires increasing the size of the elements within the boxes. The functionality provided by 2 boxes having 256 entries, each 1 byte long, and accessed using a 1-byte index, can be achieved by alternatively providing 1 box with 65,536 entries, each 2 bytes long. This would decrease the number of accesses to the s-box by ½ — in effect, grouping the retrievals by using an index 2 bytes long instead of 1 byte long. Further efficiencies can be achieved by making the entries longer than 2 bytes. For example, when the entries are 4 bytes long, the index values are 4 bytes long, so that the number of accesses is reduced by ¼ from the number required when using 1-byte entries. These alternative s-boxes having multi-byte entries and multi-byte indices may be formed from the

numbered 4 (the first byte of the right half of C) is the current byte. When the byte counter is 2, the expression "i+||C||/2" evaluates to (2+4), and the byte numbered 6 (the third byte of the right half) is the current byte. The second operand for the first exclusive OR is one of the newly-mixed bytes from the left half. The particular byte to use is located by effectively rotating the left half bytes by one byte to the right, then using the byte from this rotated left half that corresponds to the current byte from the right. (By "effectively rotating" it is meant that the bytes are treated as if they have been rotated. They are not actually moved from their current position.) For example, if the byte counter is 0, then the current byte from the right half is the first byte, numbered 4. The corresponding byte from the rotated left half will be the first byte, which was the byte numbered 3 before the rotation.

The operands of the second exclusive OR are the result from the first, and a different one of the newly-mixed bytes from the left half. The particular byte to be used as the second operand is located by effectively rotating the left half by two bytes to the left, then using the byte from this rotated left half that corresponds to the current byte from the right. For example, if ||C||=8, the rotated left half will contain bytes which were numbered 2, 3, 0, 1. When the byte counter is 0, then the corresponding byte from the rotated left half will be the byte that was numbered 2 before the rotation.

The expression "(i+||C||/2) mod 2" is used to determine which s-box to use in order to retrieve the new value to be used for newC_(i+||C||/2). If both operands i and ||C||/2 are even or odd, their sum will be even, so that s-box 0 will be used. If one operand is even and the other is odd, their sum will be odd, so that s-box 1 will be used. For example, if i=0 and ||C||=8, then (i+||C||/2 mod 2)=((0+4) mod 2)=(4 mod 2)=0; if i=3 and ||C||=8, then (i+||C||/2 mod 2)=((3+4) mod 2)=(7 mod 2)=1.

Control transfers to Step 180 after the right-half mixing operation has been performed on the current byte. At Step

s-boxes in FIG. 6, for example by combining each entry of 180, the byte counter i is incremented. Step 190 tests to 

one s-box with each entry of the other s-box, where the entry determine, based on the byte counter, whether all the bytes 

from the first s-box becomes the first byte of a two-byte of the right half have now undergone the mixing operation, 

entry, and the entry from the second s-box becomes the 40 if the test at Step 190 has a positive answer, then there are 

second byte. still more bytes to process, and control transfers back to Step 

Step 150 increments the byte counter i. Control then 170. If the test at Step 190 has a negative answer, then all 

transfers back to Step 130. bytes of the block have been mixed, and control transfers to 

At Step 160, the byte counter i is reset to 0, in order to Step 200. 

perform the right-half mixing steps. 45 At Step 200, the permutation operation is performed. This 

The processing performed at Step 170 (the right-half operation is represented by the following mathematical 

mixing) is defined by the following mathematical equation: equation: 

c i* — *Qhicii/2 where 0§/<(j|q^)-i 

hicii/2 - °c umn <^wc i . l ^ cm ®r^c UM]]Cm 50 ]t will be understood by one skilled in the art, referring to 

where Os/s (HC1I/2) - 1 Table 1 for an explanation of symbols, that this permutation 

operation consists of swapping each byte of the left half of 
the block of data with the corresponding byte of the right 

It will be understood by one skilled in the art that the half of the block. Note that it is the mixed bytes that are 

equation for right-half mixing retrieves a value from an ss being swapped: the original data bytes are never re -used 

s-box, in the same manner used for left-half mixing. The once the byte has been mixed. 

only differences are where the operands come from that are Following the permutation operation, Step 210 

used in the exclusive OR operations, and how the s-box to re -initializes the byte counter i for use in the final operation, 

use is determined. The first exclusive OR still uses the the key-dependent substitution. Step 220 compares the value 

current byte of C, but since the byte counter i has been reset eo of the byte counter to see whether all the bytes have been 

to zero for pointing to each byte of the right half, a substituted. If the test at Step 220 has a positive answer, then 

displacement value must first be added to it to determine the there are still more bytes to process, and control transfers to 

byte index into C. The displacement value is half the length Step 230. If the test at Step 220 has a negative answer, then 

of C, expressed as "||C||/2" — that is, a value that allows all bytes of the block have been substituted, and control 

skipping over the left half bytes. For example, when ||C||=8, 65 transfers to Step 250. 

the displacement value is 4. If the byte counter is 0, then the Step 230 performs a key-dependent substitution operation 

expression "i+||C||/2" evaluates to (0+4), so that the byte on the current byte of data in the block. The substitution 
operation is represented by the following mathematical equation:

$$\mathit{newC}_i = s^{(i \bmod 2)}\!\left[\,K^{(r)}_i \oplus C_i\,\right], \qquad 0 \le i \le \lVert C\rVert - 1$$

It will be understood by one skilled in the art, with reference to Table 1 for an explanation of symbols, that this substitution operation uses a byte of a sub-key, and exclusive ORs that byte with one of the data bytes of the permuted block. The present invention uses a different sub-key for each round of ciphering, where the sub-key number is identical to the iteration counter ("r") used for counting the rounds of ciphering. (Computation of the sub-keys is explained later herein, with reference to FIG. 5.) The byte counter ("i") used in this substitution step determines which byte of the current sub-key is used for the first operand of the exclusive OR operation, and it also determines which byte of the permuted block is used for the second operand of the operation. For example, when the byte counter is 0, the byte numbered 0 from the current sub-key is used, as is the byte numbered 0 from the block. The 8-bit value resulting from the exclusive OR operation is used as an index to retrieve a value from one of the s-boxes. When performing the substitution step for an even-numbered byte of the data block, values are retrieved from s-box zero. When performing the substitution step for an odd-numbered byte of the data block, values are retrieved from s-box one. The retrieved value is then used as the new value of the current byte ("newC_i") of the enciphered block.

After substituting the current byte, the byte counter is incremented. Control then transfers back to Step 220, to determine whether all bytes of the block have been substituted.

When control reaches Step 250, a new value has been substituted for each byte of the block, and the current round of ciphering is complete. The iteration counter r is then incremented, and control transfers back to Step 110, to determine whether the desired number of rounds, or processing iterations, are complete.

SECOND ALTERNATIVE EMBODIMENT

In a second alternative embodiment, instead of performing the mixing operation on each byte separately, mixing can be done on groups of bytes (e.g., where the group is half the size of the block). This will improve the operational efficiency of the algorithm because fewer individual operations are required. The following compact mathematical equations define the operation of this alternative embodiment:

$$LC = LC \oplus RC \oplus (RC \ggg 8)$$

$$\mathit{newLC}_i = s^{(i \bmod 2)}[\,LC_i\,], \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

$$RC = RC \oplus (\mathit{newLC} \ggg 8) \oplus (\mathit{newLC} \lll 16)$$

$$\mathit{newRC}_i = s^{((i+\lVert C\rVert/2) \bmod 2)}[\,RC_i\,], \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

(The operators written here as $\ggg$ and $\lll$ denote rotation of the half-block by the stated number of bits, not a shift: bytes rotated off one end re-enter at the other, as the step-by-step description below makes explicit.)

The first of these four equations explains how the new left half LC of the block is created. Three steps are involved. First, an exclusive OR operation is performed, where the first operand is the original contents of the left half and the second operand is the original contents of the right half. Next, the original contents of the right half are effectively rotated 8 bits to the right. Finally, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated right half. As an example, if the block is 8 bytes long, the bytes of the left half are numbered 0, 1, 2, 3 and the bytes of the right half are numbered 4, 5, 6, 7. The first operation uses bytes 0, 1, 2, and 3 as a group for the first operand, and bytes 4, 5, 6, and 7 as a group for the second operand. The rotation of the right half rearranges the bytes to 7, 4, 5, 6, which is then the second operand of the second exclusive OR.

In the second equation, the bytes LC_i of this newly-created left half are used, one at a time, to index into the s-boxes. (If the length of the entries in the s-boxes is increased to more than one byte, as discussed previously, then the boxes are indexed with groups of bytes at one time, instead of one byte at a time.) Each byte is used as the index into s-box zero or one, as explained before in describing the first alternative embodiment, depending on whether this is an even-numbered or odd-numbered byte. The value located in the s-box is then used as the new value for the byte newLC_i in the newly-created left half. Thus, the substitution operates as it did in the mixing of the first alternative embodiment. The result of the left-half substitution is referred to as newLC.

The third of these equations explains how the new right half RC of the block is created. Four steps are involved. First, the contents of the newly-created left half are effectively rotated 8 bits to the right. Second, an exclusive OR operation is performed, where the first operand is the original right half and the second operand is the rotated left half. Third, the newly-created left half is effectively rotated 16 bits to the left. Finally, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated left half.

In the fourth equation, the bytes RC_i of this newly-created right half are used, one at a time, to index into the s-boxes. Each byte is used as the index into s-box zero or one, as before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the s-box is then used as the new value for the byte newRC_i in the newly-created right half. The result of the right-half substitution is referred to as newRC.

An alternative embodiment may also be used for the permutation operation. This alternative embodiment operates on groups of bytes which are, for example, half the length of the block, according to the following compact mathematical algorithm:

$$LC \leftrightarrow RC$$

This algorithm indicates that the bytes from the left half of the block are swapped with the bytes from the right half of the block in a single operation. Note that these bytes are not the original bytes of the input block, but are the bytes resulting from the mixing operation.

An alternative embodiment is also defined for the key-dependent substitution operation to improve the operational
efficiency of the algorithm. The alternative embodiment is shown in the following compact mathematical equations:

$$C = K^{(r)} \oplus C$$

$$\mathit{newC}_i = s^{(i \bmod 2)}[\,C_i\,], \qquad 0 \le i \le \lVert C\rVert - 1$$

In the first of these equations, new values for all the bytes of the block C are recalculated in one exclusive OR operation. The first operand is the current sub-key (that is, the rth sub-key, where this is round number r of encrypting the block). The second operand is the block, C, as it exists after the preceding mixing and permutation steps have finished. In the second equation, the bytes C_i of the newly-created block are used, one at a time, to index into the s-boxes. Each byte is used as the index into s-box zero or one, as before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the s-box is then used to replace the byte newC_i in the block. Thus, the substitution operates as it did in the key-dependent substitution steps of the first alternative embodiment. The result of the key-dependent substitution is an encrypted block. More rounds of the mixing, permutation, and key-dependent substitution operations may be performed, where the number of rounds of these operations is chosen by the user.

THIRD ALTERNATIVE EMBODIMENT

In yet another embodiment, the compact form of mixing (that is, mixing groups of bytes instead of mixing individual bytes) can be combined with the compact form of permutation. This further reduces the number of operations required. The following mathematical equations define this embodiment:

$$RC = LC \oplus RC \oplus (RC \ggg 8)$$

$$\mathit{newRC}_i = s^{(i \bmod 2)}[\,RC_i\,], \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

$$LC = RC \oplus (\mathit{newRC} \ggg 8) \oplus (\mathit{newRC} \lll 16)$$

$$\mathit{newLC}_i = s^{((i+\lVert C\rVert/2) \bmod 2)}[\,LC_i\,], \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

The first of these four equations explains how the new right half RC of the block is created. Three steps are involved. First, an exclusive OR operation is performed, where the first operand is the original contents of the left half and the second operand is the original contents of the right half. Next, the original contents of the right half are effectively rotated 8 bits to the right. Finally, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated right half. As an example, if the block is 8 bytes long, the bytes of the left half are numbered 0, 1, 2, 3 and the bytes of the right half are numbered 4, 5, 6, 7. The first operation uses bytes 0, 1, 2, and 3 as a group for the first operand, and bytes 4, 5, 6, and 7 as a group for the second operand. The rotation of the right half rearranges the bytes to 7, 4, 5, 6, which is then the second operand of the second exclusive OR.

In the second equation, the bytes RC_i of this newly-created right half are used, one at a time, to index into the s-boxes. (If the length of the entries in the s-boxes is increased to more than one byte, as discussed previously, then the boxes are indexed with groups of bytes at one time, instead of one byte at a time.) Each byte is used as the index into s-box zero or one, as explained before in describing the first alternative embodiment, depending on whether this is an even-numbered or odd-numbered byte. The value located in the s-box is then used as the new value for the byte newRC_i in the newly-created right half. The result of the right-half substitution is referred to as newRC.

The third of these equations explains how the new left half LC of the block is created. Four steps are involved. First, the contents of the newly-created right half are effectively rotated 8 bits to the right. Second, an exclusive OR operation is performed, where the first operand is the original contents of the right half and the second operand is this rotated right half. Third, the newly-created right half is effectively rotated 16 bits to the left. Finally, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated right half. Note that RC on the right-hand side of the third equation denotes the original right half, as it was before the first equation overwrote it; an implementation of this embodiment must therefore keep a copy of the original right half until the third equation has been evaluated.

In the fourth equation, the bytes LC_i of this newly-created left half are used, one at a time, to index into the s-boxes. Each byte is used as the index into s-box zero or one, as before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the s-box is then used as the new value for the byte newLC_i in the newly-created left half. The result of the left-half substitution is referred to as newLC.

While these equations have been defined using the bytes of the left half of the block as one group, and the bytes of the right half as another group, other groupings are possible without deviating from the inventive concepts of the present invention. For example, the even-numbered bytes may be treated as one group, and the odd-numbered bytes as another group. Or, more than two groups may be used. For example, each half of the block could be further divided, treating the block as four groups of bytes. It will be obvious to one skilled in the art that the groupings used in the decryption algorithms must correspond to those used in the encryption algorithms.

DECRYPTION

FIRST ALTERNATIVE EMBODIMENT

Returning to the first alternative embodiment, FIG. 4 illustrates use of the present invention to perform decryption of data which has previously been encrypted using the process of FIG. 3. It will be recognized by one skilled in the art that the decryption process performs inverse operations, in inverse order, of the encryption process. Thus, the original content of the encrypted data file is restored by using the decryption process on each block of the file.

In describing the decryption process, the block to be decrypted is referred to as C. Note that this is not the same block C that was input to the encryption process: it is instead the output of the encryption process.

The decryption process begins at Step 300 by initializing the iteration counter r, to keep track of the number of rounds of deciphering. At Step 310, the iteration counter is compared to see whether all the rounds have been completed. While the iteration counter is not less than zero, processing continues on to Step 320. If the iteration counter is -1, however, then decryption of the block has completed. It will be understood by one skilled in the art that the decryption process for each block of data forming the input file is identical, and that the process of FIG. 4 is used on each successive block until all blocks of the input file have been decrypted.

At Step 320, the byte counter i is initialized to 0. At Step 330, the byte counter is compared to see whether all the
bytes have been inversely substituted. If the test at Step 330 has a positive answer, then there are still more bytes to process, and control transfers to Step 340. If the test at Step 330 has a negative answer, then all bytes of the block have been inversely substituted, and control transfers to Step 360.

The key-dependent inverse substitution operation performed at Step 340 is defined by the following mathematical equation:

$$\mathit{newC}_i = K^{(r)}_i \oplus s^{-(i \bmod 2)}[\,C_i\,], \qquad 0 \le i \le \lVert C\rVert - 1$$

This operation consists of performing a single exclusive OR for each byte of the block, where the first operand is the current byte of the current sub-key. The iteration counter "r" identifies the current sub-key. The byte counter i points to the current byte of this sub-key, as well as to the current byte of the block. The second operand is located by retrieving a value from the inverse of one of the s-boxes. The index into the inverse s-box is the current byte of the block, C_i. The expression "-(i mod 2)" determines which inverse s-box is to be used. When the byte counter is even, (i mod 2) will evaluate to 0, so the inverse s-box numbered 0 is used; when the byte counter is odd, (i mod 2) will evaluate to 1, so the inverse s-box numbered 1 is used.

An inverse s-box is created by inverting the relationship between the indices and the entries of the original s-box. FIG. 7 shows a small sample s-box, and its inverse, to illustrate this principle. In this sample s-box, the values chosen for the entries were randomly arranged, as are the entries of the 256-entry substitution boxes of the invention. In this sample s-box, index 1 retrieves the value 3, as shown in FIG. 7. To invert this retrieval operation, the inverse s-box must result in retrieval of the value 1 using the index 3. In other words, the value 1 is changed into the value 3, and then back into the value 1, by using this sample s-box during encryption, and its inverse s-box during decryption. (This inversion is only possible because each s-box is a permutation of the 256 byte values: every entry occurs exactly once, so every index is recovered by exactly one entry.)

Step 350 increments the byte counter to point to the next byte of the current block. Control then transfers back to Step 330.

After the key-dependent inverse substitution has been performed on each byte of C, control will transfer from Step 330 to Step 360. Step 360 is the inverse permutation operation, which is defined by the following mathematical equation:

$$C_i \leftrightarrow C_{i+\lVert C\rVert/2}, \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

The inverse permutation operation swaps each byte of the left half of the block with the corresponding byte of the right half. This operation is identical to the permutation used for encryption, and has the effect of putting the bytes back into the half from which they were swapped during encryption.

After the inverse permutation operation is complete, Step 370 re-initializes the byte counter i to 0, for use with the inverse mixing steps. Step 380 tests to see whether the byte counter points to a byte in the left half of the block, or a byte in the right half. Processing for right-half bytes begins at Step 390, and processing for left-half bytes begins at Step 410.

In the encryption process, the left-half bytes were mixed first, followed by the right-half bytes. To invert this process, the order of mixing must also invert, so that the right half is now processed first. The inverse mixing operation for right-half bytes performed at Step 390 is defined by the following mathematical equation:

$$\mathit{newC}_{i+\lVert C\rVert/2} = s^{-((i+\lVert C\rVert/2) \bmod 2)}\!\left[\,C_{i+\lVert C\rVert/2}\,\right] \oplus C_{(i-1) \bmod \lVert C\rVert/2} \oplus C_{(i+2) \bmod \lVert C\rVert/2}, \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

This operation creates new values for each byte newC_{i+||C||/2} in the right half of the block, one at a time. An index is used to point to the current byte of the right half and is computed by adding the current byte counter, i, to a value ||C||/2, which is a value sufficient to skip over the bytes of the left half. Two exclusive OR operations are performed to create the new value for each byte. In the first exclusive OR, the first operand is a value retrieved from an inverse s-box. The index into the inverse s-box is the current byte C_{i+||C||/2} from the right half of the block. When both the byte counter i and the expression ||C||/2 are even, or both are odd, the expression "(i+||C||/2) mod 2" results in the inverse s-box numbered 0 being used; when only one of the byte counter or the expression ||C||/2 is odd, the inverse s-box numbered 1 is used. The second operand of this first exclusive OR is a byte from the left half of the block. (At this point the left-half bytes still hold their mixed values; they are inversely mixed only after the right half has been restored, which is why the right half must be processed first.) The particular byte is represented by the expression "(i-1) mod ||C||/2". This expression selects a left-half byte that corresponds to the current displacement into the right half plus a further displacement by effectively rotating one byte to the right within the left half. For example, when the byte counter i is 0, the first byte of the right half is the current byte. If the block is 8 bytes in length, the first byte of the right half is the byte numbered 4 (using zero-based counting). The first byte from the left would be used except for the further displacement consisting of the right rotation of the left half. The bytes of the left half are numbered 0, 1, 2, 3 before the rotation, and 3, 0, 1, 2 after the rotation. Thus, the first byte of the rotated group is the byte which was numbered 3 before the rotation. If the byte counter i is 2 and ||C|| is 8, the first operand is retrieved using the byte numbered 6 (the third byte in the right half), and the second operand is the byte numbered 1 before the rotation (the third byte in the rotated left half).

The result of this first exclusive OR operation becomes the first operand of the second exclusive OR. The second operand is again a byte from the left half of the block. The particular byte is indicated by the expression "(i+2) mod ||C||/2". This expression selects a left-half byte that corresponds to the current displacement into the right half, plus a further displacement by effectively rotating two bytes to the left within the left half. For example, when the block length is 8, the rotated left half becomes 2, 3, 0, 1. If the byte counter i is 0, the expression ((i+2) mod ||C||/2) becomes ((0+2) mod 4), which evaluates to 2, indicating that the byte numbered 2 before the rotation (the first byte in the rotated left half) is used; when the byte counter is 2, the expression becomes ((2+2) mod 4), which evaluates to 0, indicating that the byte numbered 0 before the rotation (the third byte in the rotated left half) is used.

When these two exclusive OR operations have been performed, the resulting value becomes the new value for the byte numbered (i+||C||/2), referred to as newC_{i+||C||/2}, in the right half of the block.

The byte counter is incremented at Step 400. Control then transfers back to Step 380, to determine if there are more bytes to be inversely mixed in the right half.

In order to inversely mix the bytes of the left half, the byte counter is reset to 0 at Step 410. Control then transfers to Step 420, where the current byte from the left half is inversely mixed. The inverse mixing operation for left-half bytes performed at Step 420 is defined by the following mathematical equation:
$$\mathit{newC}_i = s^{-(i \bmod 2)}[\,C_i\,] \oplus \mathit{newC}_{i+\lVert C\rVert/2} \oplus \mathit{newC}_{((i-1) \bmod \lVert C\rVert/2)+\lVert C\rVert/2}, \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

This operation creates new values for each byte newC_i in the left half of the block, one at a time. The byte counter i points to the current byte of the left half. Two exclusive OR operations are performed to create the new value for each byte. In the first exclusive OR, the first operand is a value retrieved from an inverse s-box. The index into the inverse s-box is the current byte C_i from the left half of the block. When the byte counter is even, the expression "i mod 2" evaluates to 0, and the inverse s-box numbered 0 is used; when the byte counter is odd, the expression "i mod 2" evaluates to 1, and the inverse s-box numbered 1 is used. The second operand of this first exclusive OR is a byte from the newly-created right half of the block. The particular byte is represented by the expression "i+||C||/2". This expression selects a right-half byte that corresponds to the current byte counter, used as a displacement into the right half. For example, when the byte counter i is 0, the byte numbered 0 from the left half (the first byte of the left half) is being inversely mixed. If the block is 8 bytes in length, the expression "i+||C||/2" becomes (0+4), so that the byte numbered 4 (which is the first byte of the right half) is used. If the byte counter is 2, the byte numbered 2 from the left half (the third byte of the left half) is being inversely mixed. The expression "i+||C||/2" becomes (2+4), so that the byte numbered 6 (which is the third byte of the right half) is used.

The result of this first exclusive OR operation becomes the first operand of the second exclusive OR. The second operand is again a byte from the newly-created right half of the block. The particular byte is indicated by the expression "((i-1) mod ||C||/2)+||C||/2". This expression selects a right-half byte that corresponds to the current displacement into the left half, plus a further displacement by effectively rotating one byte to the right within the right half. For example, when the byte counter i is 0, the first byte of the left half is the current byte. If the block is 8 bytes in length, the first byte of the left half is the byte numbered 0 (using zero-based counting). The first byte from the right would be used except for the further displacement consisting of the right rotation of the right half. The bytes of the right half are numbered 4, 5, 6, 7 before the rotation, and 7, 4, 5, 6 after the rotation. Thus, the first byte of the rotated group is the byte which was numbered 7 before the rotation. This can be seen by evaluating the expression (((i-1) mod ||C||/2)+||C||/2), which is (((0-1) mod 4)+4)=((-1 mod 4)+4)=(3+4)=7. Note that "mod" here must yield a non-negative remainder, so that (-1 mod 4) is 3; in a language whose remainder operator follows the sign of the dividend, (i-1) must have ||C||/2 added to it before the reduction, or the byte index goes out of range for i=0. If the byte counter i is 2, the second operand is the byte numbered 5 before the rotation (the third byte in the rotated right half). In this latter case, the expression (((i-1) mod ||C||/2)+||C||/2) is evaluated as (((2-1) mod 4)+4)=((1 mod 4)+4)=(1+4)=5.

When these two exclusive OR operations have been performed, the resulting value becomes the new value for the ith byte of the left half of the block.

The byte counter is incremented at Step 430. Step 440 tests to see whether the byte counter still points to a byte in the left half. If this test has a positive result, control transfers back to Step 420 to perform the inverse mixing operation on this next byte of the left half. If this test has a negative result, then this round of inverse key-dependent substitution, inverse permutation, and inverse mixing has completed, and control transfers to Step 450.

Step 450 decrements the iteration counter r. Control then transfers back to Step 310, to determine if the required number of rounds of deciphering are complete.

SECOND ALTERNATIVE EMBODIMENT

A second alternative embodiment for decryption may be used, where the steps are again inverse key-dependent substitution, inverse permutation, and inverse mixing. Groups of bytes are used in the operations, however, instead of one byte at a time. This second alternative embodiment corresponds to the second alternative embodiment for encryption.

The alternative embodiment of the inverse key-dependent substitution is shown in the following compact mathematical equations:

$$C_i = s^{-(i \bmod 2)}[\,C_i\,], \qquad 0 \le i \le \lVert C\rVert - 1$$

$$\mathit{newC} = K^{(r)} \oplus C$$

In the first of these equations, the bytes C_i of the encrypted block are used, one at a time, to index into the inverse s-boxes. Each byte is used as the index into inverse s-box zero or one, as before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the inverse s-box is then used as the new value for the byte of the block.

In the second equation, new values for all the bytes of the block are recalculated in one exclusive OR operation, and stored as newC. The first operand is the current sub-key, identified by the iteration counter r. The second operand is the block resulting from the first equation, referred to as C.

An alternative embodiment for decryption is also defined for the inverse permutation operation, which operates on groups of bytes which are, for example, half the length of the block, according to the following compact mathematical algorithm:

$$LC \leftrightarrow RC$$

This algorithm indicates that the bytes from the left half of the block are swapped with the bytes from the right half of the block in a single operation. Note that these bytes are not the original bytes of the input encrypted block, but are the bytes resulting from the inverse key-dependent substitution operation.

An alternative embodiment of the inverse mixing can also be performed, using groups of bytes instead of one byte at a time. Each group of bytes may be half the length of the block, so that the left-half bytes are again treated separately from the right-half bytes. (Alternatively, different sized groups of bytes, or bytes chosen according to some other strategy than left-half and right-half, may be used. For example, the left and right halves could each be broken into two groups. The groupings used in the decryption algorithms must correspond to those used in the encryption algorithms.) The mathematical equations representing the operations on the groups of bytes are:

$$RC_i = s^{-((i+\lVert C\rVert/2) \bmod 2)}[\,RC_i\,], \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

$$\mathit{newRC} = RC \oplus (LC \ggg 8) \oplus (LC \lll 16)$$

$$LC_i = s^{-(i \bmod 2)}[\,LC_i\,], \qquad 0 \le i \le (\lVert C\rVert/2) - 1$$

$$\mathit{newLC} = LC \oplus \mathit{newRC} \oplus (\mathit{newRC} \ggg 8)$$
The first of these equations explains how the bytes RC_i of the right half (after the inverse key-dependent substitution and inverse permutation) are used, one at a time, to index into the inverse s-boxes. (If the length of the entries in the s-boxes is increased to more than one byte, as discussed previously, then the boxes are indexed with groups of bytes at one time, instead of one byte at a time.) Each byte is used as the index into inverse s-box zero or one, as before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the inverse s-box is then used as the new value for the byte RC_i in the right half. The result of the right-half substitution is referred to as RC'.

In the second equation, the new right half newRC of the block is created. Four steps are involved. First, the contents of the left half are effectively rotated 8 bits to the right. Second, an exclusive OR operation is performed, where the first operand is the right half resulting from the first equation, and the second operand is this rotated left half. Third, the left half is effectively rotated 16 bits to the left. Finally, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated left half.

The third of these four equations explains how the bytes LC_i of the left half are used, one at a time, to index into the inverse s-boxes. Each byte is used as the index into inverse s-box zero or one, as explained before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the inverse s-box is then used as the new value for the byte LC_i in the left half. The result of the left-half substitution is referred to as LC'.

In the fourth equation, the new left half newLC of the block is created. Three steps are involved. First, an exclusive OR operation is performed, where the first operand is the left half resulting from the third equation, and the second operand is the newly-created right half. Next, the newly-created right half is effectively rotated 8 bits to the right. Finally, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated right half. As an example, if the block is 8 bytes long, the bytes of the left half are numbered 0, 1, 2, 3 and the bytes of the right half are numbered 4, 5, 6, 7. The first operation uses bytes 0, 1, 2, and 3 as a group for the first operand, and bytes 4, 5, 6, and 7 as a group for the second operand. The rotation of the right half rearranges the bytes to 7, 4, 5, 6, which is then the second operand of the second exclusive OR.

THIRD ALTERNATIVE EMBODIMENT

In yet another alternative embodiment for decryption, the inverse of the permutation and mixing steps can be combined, where the combined operation operates on groups of bytes. This third alternative embodiment corresponds to the third alternative embodiment for encryption. The combined operations are defined by the following mathematical equations:

LC'_i = S^{-1<(i+||C||/2) mod 2>}_{LC_i}, where 0 ≤ i ≤ (||C||/2) − 1

newRC = LC' ⊕ (RC >> 8) ⊕ (RC << 16)

RC'_i = S^{-1<i mod 2>}_{RC_i}, where 0 ≤ i ≤ (||C||/2) − 1

newLC = RC' ⊕ newRC ⊕ (newRC >> 8)

In the first of these four equations, the bytes LC_i of the left half are used, one at a time, to index into the inverse s-boxes. (If the length of the entries in the inverse s-boxes is increased to more than one byte, as discussed previously, then the boxes are indexed with groups of bytes at one time, instead of one byte at a time.) Each byte is used as the index into inverse s-box zero or one, as before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the inverse s-box is then used as the new value for the byte LC_i in the left half. The result of the left-half substitution is referred to as LC'.

The second equation explains how the new right half newRC of the block is created. Four steps are involved. First, the contents of the right half are effectively rotated 8 bits to the right. Next, an exclusive OR operation is performed, where the first operand is the left half resulting from the first equation, and the second operand is the rotated right half. Next, the right half is effectively rotated 16 bits to the left. Finally, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated right half. As an example, if the block is 8 bytes long, the bytes of the left half are numbered 0, 1, 2, 3 and the bytes of the right half are numbered 4, 5, 6, 7. The first rotation of the right half (8 bits to the right) rearranges the bytes to 7, 4, 5, 6, which is then the second operand of the first exclusive OR (and the first operand is the bytes 0, 1, 2, and 3 as a group). The second rotation of the right half (16 bits to the left) rearranges the bytes to 6, 7, 4, 5, which is then the second operand of the second exclusive OR.

In the third equation, the bytes RC_i of the right half (as it existed after the inverse key-dependent substitution, described previously with reference to the second alternative embodiment for decryption) are used, one at a time, to index into the inverse s-boxes. Each byte is used as the index into inverse s-box zero or one, as explained before, depending on whether this is an even-numbered or odd-numbered byte. The value located in the inverse s-box is then used as the new value for the byte RC_i in the right half. The result of the right-half substitution is referred to as RC'.

The fourth equation explains how the new left half newLC of the block is created. Three steps are involved. First, an exclusive OR operation is performed, where the first operand is the contents of the right half resulting from the third equation, and the second operand is the right half resulting from the second equation. Second, the right half resulting from the second equation is effectively rotated 8 bits to the right. Third, a second exclusive OR operation is performed, where the first operand is the result of the first exclusive OR, and the second operand is the rotated right half.

As discussed in the third alternative embodiment for encryption, groupings other than left-half and right-half are possible. The groupings used for decryption must correspond to those used for encryption.

SUB-KEY GENERATION

FIG. [number illegible in source] illustrates use of the present invention to generate sub-keys for each round, using the secret key as input to the sub-key generation process. As discussed previously, a different sub-key is used in each round of encryption, and re-used for the corresponding round of decryption. This sub-key generation may be performed immediately prior to the encryption steps when encrypting a particular input file, or the sub-keys may be generated well in advance of the encryption. In the latter case, the sub-keys would be stored for later use, in order to minimize the time required to encrypt a data file. Regardless of when the sub-keys are generated, the following process is used.
At Step 500, the iteration counter r is initialized, to keep track of how many rounds of sub-key generation processing have been performed. Since a different sub-key is produced during each round of this operation, the iteration counter also indicates how many sub-keys have been generated.

At Step 510, the iteration counter, r, is compared to the number of rounds to be used for enciphering and deciphering. While the iteration counter is less than this value, the test at Step 510 will have a negative result, and processing will continue to Step 520. If the two values are equal, the test will have a positive result, indicating that all the sub-keys have been generated, and the generation process ends.

Step 520 initializes a byte counter, i, to zero. Step 530 compares this byte counter to the size of the blocks that will be used in encrypting and decrypting the data. While the byte counter is less than or equal to the number of bytes in the block, the test at Step 530 has a positive result, and processing continues to Step 540. When the test has a negative result, processing continues at Step 560.

Step 540 distributes any extra bytes of the input secret key among the sub-keys in a fair manner, when the size of the key is bigger than the size of the blocks used in encryption and decryption. This further increases the strength of the encryption, because it allows use of all the random numbers making up the input key, not just a portion of them. For example, if the key contains 24 bytes, and the blocks are 8 bytes long, the 8-byte sub-keys are generated using bytes selected from all 24 bytes of the input key, not just the first 8 bytes. The following mathematical equation defines the process by which these extra bytes are distributed:

K^{<r>}_i = K_{(rL + i) mod ||K||}

Referring to Table 1 for an explanation of symbols, one skilled in the art will understand that a byte of the current sub-key is being generated from one of the bytes from the input key. The byte counter i points to the current byte of the current sub-key, and the iteration counter r identifies the current sub-key. The particular byte to be used from the input key is determined by the expression "rL+i mod ||K||". As an example, if the block C is 8 bytes long, the input key K is 24 bytes long, the total number of rounds of processing is 11, the iteration counter r is 0, and the byte counter i is 0, the expression is evaluated as follows:

L = ⌈(||K|| − ||C||)/(R − 1)⌉ = ⌈(24 − 8)/10⌉ = ⌈16/10⌉ = 2

rL + i mod ||K|| = 0 + 0 = 0

In this example, the first byte of the input key is the byte to be substituted into the first byte (because i=0) of the first sub-key (because r=0). As another example, if the iteration counter r is 3, the byte counter i is 2, and the other variables are unchanged, the expression (rL+i mod ||K||) becomes ((3 * 2)+(2 mod 24))=(6+2)=8, so that the ninth byte (the byte numbered 8 and denoted by K_8) of the input key is substituted into the third byte (because i=2) of the fourth sub-key (because r=3).

Step 550 increments the byte counter i, and control then transfers back to Step 530.

Control transfers to Step 560 when all the bytes of the current sub-key have been generated. Step 560 stores the current sub-key into a temporary variable X, for use later in the generation operation.

Steps 570 through 620 perform operations that are similar to the operations used in the encryption process. The left half of the sub-key is mixed in Step 590, followed by mixing of the right half in Step 600. The sub-key bytes are permuted in Step 610. Key-dependent substitution is done in Step 620.

At Step 570, a generation counter v is initialized to 0. This counter is used to count the number of iterations of performing the mixing, permutation, and key-dependent substitution steps on the current sub-key. Step 580 tests to see whether this generation counter is equal to the number of rounds of processing to be used for encryption and decryption. If this test has a positive result, another round of generation will be performed by continuing on to Step 590. If this test has a negative result, then control transfers to Step 640.

Step 590 mixes the bytes of the left half of the current sub-key, according to the following mathematical equation:

K^{<r>}_i = S^{<i mod 2>}_{K^{<r>}_i ⊕ K^{<r>}_{i+||C||/2} ⊕ K^{<r>}_{((i−1) mod ||C||/2)+||C||/2}}, where 0 ≤ i ≤ (||C||/2) − 1

This left-half mixing of sub-key bytes is identical to the left-half mixing performed on the input block, except that instead of using the bytes of the block to index into an s-box, the bytes of the current sub-key (where the iteration counter r identifies the current sub-key) are used. Each byte of this sub-key is pointed to using the byte counter i.

Step 600 mixes the bytes of the right half of the current sub-key, according to the following mathematical equation:

K^{<r>}_{i+||C||/2} = S^{<(i+||C||/2) mod 2>}_{K^{<r>}_{i+||C||/2} ⊕ K^{<r>}_{(i−1) mod ||C||/2} ⊕ K^{<r>}_{(i+2) mod ||C||/2}}, where 0 ≤ i ≤ (||C||/2) − 1

This right-half mixing of sub-key bytes is identical to the right-half mixing performed on the input block, except that instead of using the bytes of the block to index into an s-box, the bytes of the current sub-key (where the iteration counter r identifies the current sub-key) are used. Each byte of this sub-key is pointed to using the byte counter i.

Step 610 permutes the bytes of the current sub-key, according to the following mathematical equation:

K^{<r>}_i ↔ K^{<r>}_{i+||C||/2}, where 0 ≤ i ≤ (||C||/2) − 1

Again, the process used is identical to that used when permuting the input block, where the bytes from the left half of the current sub-key are each swapped with the corresponding byte from the right half of the current sub-key.

Step 620 performs a key-dependent substitution on each byte of the current sub-key, according to the following mathematical equation:

K^{<r>}_i = S^{<i mod 2>}_{K^{<r>}_{(i−1) mod ||C||} ⊕ K^{<r>}_i}, where 0 ≤ i ≤ ||C|| − 1

This substitution is similar, but not identical, to that performed on the input block. The value to be substituted for the ith byte of the current ("rth") sub-key is retrieved from one of the s-boxes, where s-box zero is used if i is even, and s-box one is used if i is odd. The value used to index into the s-box is computed by performing an exclusive OR using two bytes of the current sub-key. The byte used for the first
operand is located by effectively rotating the current sub-key one byte to the right, then using the byte from this rotated sub-key that corresponds to the byte counter i. The second operand is the byte of the current sub-key pointed to by the byte counter (without having rotated the sub-key). For example, if the sub-keys and blocks are 8 bytes long, and the byte counter is 0, the first operand will be the byte numbered "i-1 mod ||C||", which in this case evaluates to ((0-1) mod 8), or 7. This is the eighth byte of the current sub-key. The second operand will be the first byte, the byte numbered 0, of the same sub-key.

At Step 630, the generation counter v is incremented. Control then transfers back to Step 580.

Control reaches Step 640 when all the iterations of mixing, permutation, and key-dependent substitution have completed for this sub-key. At this step, the current sub-key is exclusive OR'd with the temporary variable X in which a value was saved at Step 560. The result of the exclusive OR is substituted as the new value of the current sub-key.

At Step 650, the byte counter i is again initialized to 0. Step 660 compares the byte counter value to the length of the blocks. If the test at Step 660 has a positive result, control transfers to Step 670; otherwise, control transfers to Step 690.

Step 670 takes a byte from the newly-generated sub-key, and substitutes it back into the original input key, which results in further randomization of the sub-keys being generated. The following mathematical equation defines the process by which this is done:

The byte counter i points to the current byte of the current sub-key, and the iteration counter r identifies the current sub-key. This byte from the sub-key will be substituted into the input key. The position at which this byte will be substituted is determined by the expression "rL+i mod ||K||". Using the same example used above for inserting the byte at Step 540, where the block size C is 8 bytes, the input key K is 24 bytes long, the total number of rounds of processing is 11, the iteration counter r is 0, and the byte counter i is 0, the result is that the first byte of the first sub-key is substituted into the first byte of the input key. If the iteration counter r is 3, the byte counter i is 2, and the other variables are unchanged, the expression becomes ((3 * 2)+(2 mod 24))=(6+2)=8, so that the third byte (because i=2) of the fourth sub-key (because r=3) is substituted for the ninth byte (the byte numbered 8) of the input key.

At Step 680, the byte counter i is incremented. Control then transfers back to Step 660.

Control reaches Step 690 when a complete round of sub-key generation (consisting of generating the sub-key bytes, encrypting the bytes, and substituting the encrypted bytes back into the input key) has completed. At Step 690, the iteration counter r is incremented. Control then transfers back to Step 510.
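As an added example (the editor's own Python, not code from the patent or its assignee), the following builds the sub-key schedule of Steps 500 through 690 from the byte-wise mixing, permutation and substitution equations of Steps 590 through 620, and checks that the combined inverse permutation and mixing of the third alternative embodiment undoes the byte-wise forward mixing and permutation. The s-box tables are not given on the page, so two placeholder permutations are generated from a fixed seed, and the in-place update order in the substitution step is an assumption.

```python
# Added example (editor's construction, not the patent's own code): the
# byte-wise sub-key mixing, permutation and substitution of Steps 590-620,
# the sub-key schedule of Steps 500-690, and the combined inverse
# permutation/mixing of the third alternative embodiment. The patent's
# s-box tables are not on the page, so two placeholder 256-entry
# permutations are generated from a fixed seed.
import random
from math import ceil

_rng = random.Random(1998)
SBOX = []
for _ in range(2):
    table = list(range(256))
    _rng.shuffle(table)
    SBOX.append(table)
INV_SBOX = [[0] * 256 for _ in range(2)]
for n in range(2):
    for j, value in enumerate(SBOX[n]):
        INV_SBOX[n][value] = j            # S^{-1<n>} undoes S^{<n>}

def rot(half, k):
    """Rotate a list of bytes left by k bytes (k < 0 rotates right)."""
    k %= len(half)
    return half[k:] + half[:k]

def mix(c):
    """Left-half mixing (Step 590) followed by right-half mixing (Step 600)."""
    h = len(c) // 2
    b = list(c)
    for i in range(h):   # left byte i: XOR with right byte i and with the
        # right half rotated right one byte, then s-box <i mod 2>
        b[i] = SBOX[i % 2][c[i] ^ c[i + h] ^ c[((i - 1) % h) + h]]
    for i in range(h):   # right byte i: XOR with the new left half rotated
        # right one byte and rotated left two bytes, then s-box <(i+h) mod 2>
        b[i + h] = SBOX[(i + h) % 2][c[i + h] ^ b[(i - 1) % h] ^ b[(i + 2) % h]]
    return b

def permute(c):
    """Step 610: swap each left-half byte with its right-half counterpart."""
    h = len(c) // 2
    return c[h:] + c[:h]

def substitute(c):
    """Step 620: byte i becomes S^{<i mod 2>}[byte (i-1) mod ||C|| XOR byte i].
    Assumption: updated in place, so byte i-1 is the already substituted value."""
    b = list(c)
    n = len(b)
    for i in range(n):
        b[i] = SBOX[i % 2][b[(i - 1) % n] ^ b[i]]
    return b

def inverse_permute_and_mix(c):
    """Third alternative embodiment: inverse permutation and inverse mixing
    combined, following the four equations on the two halves."""
    h = len(c) // 2
    lc, rc = c[:h], c[h:]
    # LC'_i = S^{-1<(i+||C||/2) mod 2>}[LC_i]: these positions held the mixed
    # right half before the swap, so the right-half s-box selection applies
    lc1 = [INV_SBOX[(i + h) % 2][lc[i]] for i in range(h)]
    # newRC = LC' xor (RC >> 8) xor (RC << 16), rotating the half as a unit
    new_rc = [a ^ b ^ d for a, b, d in zip(lc1, rot(rc, -1), rot(rc, 2))]
    # RC'_i = S^{-1<i mod 2>}[RC_i]
    rc1 = [INV_SBOX[i % 2][rc[i]] for i in range(h)]
    # newLC = RC' xor newRC xor (newRC >> 8)
    new_lc = [a ^ b ^ d for a, b, d in zip(rc1, new_rc, rot(new_rc, -1))]
    return new_lc + new_rc

def key_spread(key_len, block_len, rounds):
    """L = ceil((||K|| - ||C||) / (R - 1)); taken as 0 for a single round."""
    return 0 if rounds == 1 else ceil((key_len - block_len) / (rounds - 1))

def extra_byte_index(r, i, spread, key_len):
    """The position (rL + i) mod ||K|| used by Steps 540 and 670."""
    return (r * spread + i) % key_len

def sub_keys(key, block_len, rounds):
    """Steps 500-690: derive one block-length sub-key per round from K."""
    key = list(key)                    # Step 670 writes back into this copy
    spread = key_spread(len(key), block_len, rounds)
    result = []
    for r in range(rounds):                                    # Steps 500-510
        sub = [key[extra_byte_index(r, i, spread, len(key))]   # Steps 520-550
               for i in range(block_len)]
        saved = list(sub)                                      # Step 560
        for _ in range(rounds):                                # Steps 570-630
            sub = substitute(permute(mix(sub)))                # Steps 590-620
        sub = [a ^ b for a, b in zip(sub, saved)]              # Step 640
        for i in range(block_len):                             # Steps 650-680
            key[extra_byte_index(r, i, spread, len(key))] = sub[i]
        result.append(sub)                                     # Step 690
    return result

def roundtrip_ok(block):
    """True when the combined inverse undoes byte-wise mix followed by permute."""
    return inverse_permute_and_mix(permute(mix(list(block)))) == list(block)
```

With the page's example parameters (8-byte block, 24-byte key, 11 rounds) the schedule yields eleven 8-byte sub-keys, and `roundtrip_ok` holds for any even block length of 8 bytes or more.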

While the preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims shall be construed to include both the preferred embodiments and all such variations and modifications as fall within the spirit and scope of the invention.
SYMBOL        DEFINITION

C             The plaintext (input data) or ciphertext (encrypted) block.

||C||         The length of C in bytes, where ||C|| is an even integer and ||C|| ≥ 8.

C_i           Byte i of C, where 0 ≤ i ≤ ||C|| − 1.

R             An integer number denoting the total number of rounds of the encryption algorithm, where R ≥ ⌈(||C|| + 16)/5⌉. The notation ⌈x⌉ denotes the smallest integer greater than or equal to x. For example, if x = 3.2, then ⌈x⌉ = 4.

K             The symmetric (secret) encryption/decryption input key.

||K||         The length of K in bytes. ||K|| is an integer in the following interval: ||C|| ≤ ||K|| ≤ ||C|| × R.

K_j           Byte j of key K, where 0 ≤ j ≤ ||K|| − 1.

K^{<r>}       The rth sub-key derived from K, where 0 ≤ r ≤ R − 1. Each sub-key is of length ||C|| bytes.

K^{<r>}_i     Byte i of sub-key K^{<r>}, where 0 ≤ i ≤ ||C|| − 1.

L             An integer defined as L = ⌈(||K|| − ||C||)/(R − 1)⌉. When the input key is bigger than the block size, L equally divides the additional input key bytes among the sub-keys.

S^{<n>}_j     The jth entry of the nth s-box, where 0 ≤ n ≤ 1, and 0 ≤ j ≤ 255. Each s-box contains 256 non-repeating 8-bit values which are indexed from 0 to 255. The jth entry of the inverse of the nth s-box is denoted by S^{-1<n>}_j.

A ↔ B         "↔" denotes swapping of A with B.

A ⊕ B         Denotes exclusive ORing A and B.
What is claimed is: 

1. In a computing environment, computer-readable code 
for providing a byte-oriented symmetric key block cipher 
which supports a variable length symmetric input key, a 
variable length block, and a variable number of rounds, said 
computer-readable code embodied on a computer-readable 
medium and comprising: 
computer-readable program code means for determining a 
number of rounds of cipher processing to use as said 
variable number of rounds, a key length of said variable 
length symmetric input key, and a block length of said 
variable length block; 
computer-readable program code means for generating a 
plurality of sub-keys using said symmetric input key as 
an input value, wherein each of said generated sub-keys 
is equal in length to said block length and where a 
distinct one of said sub-keys is generated for each of 
said number of rounds; 
computer-readable program code means for obtaining an 
input data block to be encrypted, wherein said input 
data block comprises a plurality of input data bytes, 
said plurality being equal in number to said block 
length; and 

computer-readable program code means for iteratively 
performing a set of round functions a number of times 
equal to said number of rounds in order to encrypt said 
input data block, wherein said set of round functions 
comprises a mixing function, a permuting function, and 
a key-dependent substitution function, and wherein 
said computer-readable program code means for itera- 
tively performing further comprises: 
computer-readable program code means for performing 
said mixing function by mixing each of said input 
data bytes using a first XOR operation and a second 
XOR operation, wherein said first and second XOR 
operations are different, followed by a first 
substitution-box (S-box) lookup operation, thereby 
creating a plurality of mixed bytes; 
computer-readable program code means for performing 
said permuting function by swapping each of said 
mixed bytes, thereby creating a plurality of permuted 
bytes; 
computer-readable program code means for performing 
said key-dependent substitution function by substi- 
tuting a byte value for each of said permuted bytes, 
wherein said byte value is determined by performing 
a third XOR operation followed by a second S-box 
lookup operation, thereby creating a plurality of 
substituted bytes; and 

computer-readable program code means for treating 
said plurality of substituted bytes as said plurality of 
input data bytes for a subsequent iteration of said 
computer-readable program code means for itera- 
tively performing, provided said number of times has 
not been reached. 

2. The computer-readable code according to claim 1, 
wherein said computer-readable program code means for 
performing said mixing function further comprises: 

computer-readable program code means for dividing said 
plurality of input data bytes into a left input half and a 
right input half; 

computer-readable program code means for performing a 
first mixing operation on said left input half and a 
second mixing operation on said right input half, 
wherein said second mixing operation uses a different 
selection of operands for said first and second XOR 
operations than does said first mixing operation; 

computer-readable program code means for using each 
byte of a result of said second XOR operation of said 
first mixing operation as a lookup index for said first 
S-box lookup operation to retrieve bytes of a new left 
half; and 

computer-readable program code means for using each 
byte of an output of said second XOR operation of said 
second mixing operation as said lookup index for said 
first S-box lookup operation to retrieve bytes of a new 
right half. 

3. The computer-readable code according to claim 2, 
wherein: 

said computer-readable program code means for performing 
said first mixing operation further comprises: 
computer-readable program code means for using an 
identically-numbered byte from said left input half 
and said right input half as operands of said first 
XOR operation; and 
computer-readable program code means for using a 
result of said first XOR operation and a byte from 
said right input half that has been effectively rotated 
right one byte as operands of said second XOR 
operation; and 

said computer-readable program code means for performing 
said second mixing operation further comprises: 
computer-readable program code means for using a 
selected byte from said right input half and a 
previously-mixed byte from said new left half that 
has been effectively rotated right one byte as operands 
of said first XOR operation; and 
computer-readable program code means for using an 
output of said first XOR operation and a different 
previously-mixed byte from said new left half that 
has been effectively rotated left two bytes as operands 
of said second XOR operation. 

4. The computer-readable code according to claim 1, 
wherein said computer-readable program code means for 
performing said mixing function and said computer-readable 
program code means for performing said key-dependent 
substitution function perform said first S-box lookup operation 
and said second S-box lookup operation, respectively, 



by accessing a selected one of two distinct S-boxes using a 
one-byte index, each of said S-boxes having 256 distinct 
entries, each of said entries being a one -byte value. 

5. The computer-readable code according to claim 1, 
wherein one or more of said computer-readable program 
code means is embodied in a hardware chip. 

6. The computer-readable code according to claim 1, 
wherein said computer-readable program code means for 
performing said permuting function further comprises: 

computer-readable program code means for dividing said 
plurality of mixed bytes into a left mixed half and a 
right mixed half; and 

computer-readable program code means for swapping 
said left mixed half with said right mixed half. 

7. The computer-readable code according to claim 1, 
wherein said computer-readable program code means for 
performing said key-dependent substitution function further 
comprises: 

computer-readable program code means for using a sub- 
key byte from a selected one of said generated sub-keys 
which is uniquely associated with said round as an 
operand of said third XOR operation, along with said 
each permuted byte; and 

computer-readable program code means for performing 
said second S-box lookup operation using each byte of 
a result of said third XOR operation as an index. 

8. The computer-readable code according to claim 1, 
wherein particular values of one or more of said number of 
rounds, said key length, and said block length are deter- 
mined in advance in order to optimize said computer- 
readable code, and wherein said computer-readable program 
code means for determining therefore operates as if said one 
or more particular values are fixed. 

9. The computer-readable code according to claim 1, 
further comprising: 

computer-readable program code means for decrypting 
said encrypted data block, resulting in restoration of 
said plurality of input data bytes, by performing a set of 
inverse round functions said number of times equal to 
said number of rounds, wherein said set of inverse 
round functions comprises an inverse key-dependent 
substitution function which is inverse to said key- 
dependent substitution function, an inverse permuting 
function which is inverse to said permuting function, 
and an inverse mixing function which is inverse to said 
mixing function. 

10. A system for providing a byte-oriented symmetric key 
block cipher which supports a variable length symmetric 
input key, a variable length block, and a variable number of 
rounds, comprising: 

means for determining a number of rounds of cipher 
processing to use as said variable number of rounds, a 
key length of said variable length symmetric input key, 
and a block length of said variable length block; 

means for generating a plurality of sub-keys using said 
symmetric input key as an input value, wherein each of 
said generated sub-keys is equal in length to said block 
length and where a distinct one of said sub-keys is 
generated for each of said number of rounds; 

means for obtaining an input data block to be encrypted, 
wherein said input data block comprises a plurality of 
input data bytes, said plurality being equal in number to 
said block length; and 

means for iteratively performing a set of round functions 
a number of times equal to said number of rounds in 
order to encrypt said input data block, wherein said set 
of round functions comprises a mixing function, a 
permuting function, and a key-dependent substitution 
function, and wherein said means for iteratively per- 
forming further comprises: 

means for performing said mixing function by mixing 
each of said input data bytes using a first XOR 
operation and a second XOR operation, wherein said 
first and second XOR operations are different, followed 
by a first substitution-box (S-box) lookup 
operation, thereby creating a plurality of mixed 
bytes; 

means for performing said permuting function by 
swapping each of said mixed bytes, thereby creating 
a plurality of permuted bytes; 

means for performing said key-dependent substitution 
function by substituting a byte value for each of said 
permuted bytes, wherein said byte value is deter- 
mined by performing a third XOR operation fol- 
lowed by a second S-box lookup operation, thereby 
creating a plurality of substituted bytes; and 

means for treating said plurality of substituted bytes as 
said plurality of input data bytes for a subsequent 
iteration of said means for iteratively performing, 
provided said number of times has not been reached. 

11. The system according to claim 10, wherein said means 
for performing said mixing function further comprises: 

means for dividing said plurality of input data bytes into 
a left input half and a right input half; 

means for performing a first mixing operation on said left 
input half and a second mixing operation on said right input half, 
wherein said second mixing operation uses a different 
selection of operands for said first and said second 
XOR operations than does said first mixing operation; 

means for using each byte of a result of said second XOR 
operation of said first mixing operation as a lookup 
index for said first S-box lookup operation to retrieve 
bytes of a new left half; and 

means for using each byte of an output of said second 
XOR operation of said second mixing operation as said 
lookup index for said first S-box lookup operation to 
retrieve bytes of a new right half. 

12. The system according to claim 11, wherein: 

said means for performing said first mixing operation 
further comprises: 
means for using an identically-numbered byte from 
said left input half and said right input half as 
operands of said first XOR operation; and 
means for using a result of said first XOR operation and 
a byte from said right input half that has been 
effectively rotated right one byte as operands of said 
second XOR operation; and 
said means for performing said second mixing operation 
further comprises: 

means for using a selected byte from said right input 
half and a previously-mixed byte from said new left 
half that has been effectively rotated right one byte as 
operands of said first XOR operation; and 

means for using an output of said first XOR operation 
and a different previously-mixed byte from said new 
left half that has been effectively rotated left two 
bytes as operands of said second XOR operation. 

13. The system according to claim 10, wherein said means 
for performing said mixing function and said means for 
performing said key-dependent substitution function perform 
said first S-box lookup operation and said second 
S-box lookup operation, respectively, by accessing a 



selected one of two distinct S-boxes using a one-byte index, 
each of said S-boxes having 256 distinct entries, each of said 
entries being a one-byte value. 

14. The system according to claim 10, wherein one or 
more of said means is embodied in a hardware chip. 

15. The system according to claim 10, wherein said means 
for performing said permuting function further comprises: 

means for dividing said plurality of mixed bytes into a left 

mixed half and a right mixed half; and 
means for swapping said left mixed half with said right 

mixed half. 

16. The system according to claim 10, wherein said means 
for performing said key-dependent substitution function 
further comprises: 

means for using a sub-key byte from a selected one of said 
generated sub-keys which is uniquely associated with 
said round as an operand of said third XOR operation, 
along with said each permuted byte; and 

means for performing said second S-box lookup operation 
using each byte of a result of said third XOR operation 
as an index. 

17. The system according to claim 10, wherein particular 
values of one or more of said number of rounds, said key 
length, and said block length are determined in advance in 
order to optimize said system, and wherein said means for 
determining therefore operates as if said one or more par- 
ticular values are fixed. 

18. The system according to claim 10, further comprising:
means for decrypting said encrypted data block, resulting
in restoration of said plurality of input data bytes, by
performing a set of inverse round functions said
number of times equal to said number of rounds, wherein
said set of inverse round functions comprises an inverse
key-dependent substitution function which is inverse to
said key-dependent substitution function, an inverse
permuting function which is inverse to said permuting
function, and an inverse mixing function which is
inverse to said mixing function.

19. A method of providing a byte-oriented symmetric key 
block cipher which supports a variable length symmetric 
input key, a variable length block, and a variable number of 
rounds, comprising the steps of: 

determining a number of rounds of cipher processing to 
use as said variable number of rounds, a key length of 
said variable length symmetric input key, and a block 
length of said variable length block; 

generating a plurality of sub-keys using said symmetric 
input key as an input value, wherein each of said 
generated sub-keys is equal in length to said block 
length and where a distinct one of said sub-keys is 
generated for each of said number of rounds; 

obtaining an input data block to be encrypted, wherein 
said input data block comprises a plurality of input data 
bytes, said plurality being equal in number to said block 
length; and 

iteratively performing a set of round functions a number 
of times equal to said number of rounds in order to 
encrypt said input data block, wherein said set of round 
functions comprises a mixing function, a permuting 
function, and a key-dependent substitution function, 
and wherein said iteratively performing step further 
comprises the steps of: 

performing said mixing function by mixing each of said
input data bytes using a first XOR operation and a
second XOR operation, wherein said first and second
XOR operations are different, followed by a first
substitution-box (S-box) lookup operation, thereby
creating a plurality of mixed bytes;

performing said permuting function by swapping each
of said mixed bytes, thereby creating a plurality of
permuted bytes;

performing said key-dependent substitution function by
substituting a byte value for each of said permuted
bytes, wherein said byte value is determined by
performing a third XOR operation followed by a
second S-box lookup operation, thereby creating a
plurality of substituted bytes; and

treating said plurality of substituted bytes as said
plurality of input data bytes for a subsequent iteration of
said iteratively performing step, provided said
number of times has not been reached.

20. The method according to claim 19, wherein said step 
of performing said mixing function further comprises the 
steps of: 

dividing said plurality of input data bytes into a left input 
half and a right input half; 

performing a first mixing operation on said left input half 
and a second mixing operation on said right half, 
wherein said second mixing operation uses a different 
selection of operands for said first and second XOR 
operations than does said first mixing operation; 

using each byte of a result of said second XOR operation 
of said first mixing operation as a lookup index for said 
first S-box lookup operation to retrieve bytes of a new 
left half; and 

using each byte of an output of said second XOR opera- 
tion of said second mixing operation as said lookup 
index for said first S-box lookup operation to retrieve 
bytes of a new right half. 

21. The method according to claim 20, wherein:

said step of performing said first mixing operation further
comprises the steps of:

using an identically-numbered byte from said left input
half and said right input half as operands of said first
XOR operation; and

using a result of said first XOR operation and a byte
from said right input half that has been effectively
rotated right one byte as operands of said second
XOR operation; and
said step of performing said second mixing operation
further comprises the steps of:

using a selected byte from said right input half and a
previously-mixed byte from said new left half that
has been effectively rotated right one byte as
operands of said first XOR operation; and

using an output of said first XOR operation and a
different previously-mixed byte from said new left
half that has been effectively rotated left two bytes as
operands of said second XOR operation.
22. The method according to claim 19, wherein said step
of performing said mixing function and said step of
performing said key-dependent substitution function perform
said first S-box lookup operation and said second S-box
lookup operation, respectively, by accessing a selected one
of two distinct S-boxes using a one-byte index, each of said
S-boxes having 256 distinct entries, each of said entries
being a one-byte value.

23. The method according to claim 19, wherein one or 
more of said steps is embodied in a hardware chip. 
24. The method according to claim 19, wherein said step
of performing said permuting function further comprises the
steps of:

dividing said plurality of mixed bytes into a left mixed
half and a right mixed half; and
swapping said left mixed half with said right mixed half.

25. The method according to claim 19, wherein said step
of performing said key-dependent substitution function
further comprises the steps of:

using a sub-key byte from a selected one of said generated
sub-keys which is uniquely associated with said round
as an operand of said third XOR operation, along with
said each permuted byte; and
performing said second S-box lookup operation using
each byte of a result of said third XOR operation as an
index.

26. The method according to claim 19, wherein particular
values of one or more of said number of rounds, said key
length, and said block length are determined in advance in
order to optimize said method, and wherein said step of
determining therefore operates as if said one or more
particular values are fixed.

27. The method according to claim 19, further comprising
the step of:

decrypting said encrypted data block, resulting in
restoration of said plurality of input data bytes, by
performing a set of inverse round functions said number of
times equal to said number of rounds, wherein said set
of inverse round functions comprises an inverse
key-dependent substitution function which is inverse to said
key-dependent substitution function, an inverse
permuting function which is inverse to said permuting
function, and an inverse mixing function which is inverse to said
mixing function.
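The round structure recited in claims 19 through 27, as an added Python illustration that is not part of the patent or of any IBM implementation: the two S-boxes, the sub-key schedule, and the reading of "rotated right one byte" and "rotated left two bytes" as index shifts are constructed assumptions, since the claims do not specify them. It shows why the mixing function of claims 20-21 is invertible: the new right half depends only on the old right half and the already-known new left half, so decryption recovers the right half first and then the left.

```python
import random

def make_sbox(seed):
    # Constructed S-box (assumption): seeded shuffle of 0..255, a bijection with an exact inverse.
    box = list(range(256))
    random.Random(seed).shuffle(box)
    return box, {v: i for i, v in enumerate(box)}

(S1, S1_INV), (S2, S2_INV) = make_sbox(1), make_sbox(2)  # mixing S-box, substitution S-box

def sub_keys(key, rounds, block_len):
    # Placeholder schedule (assumption, not the patent's): one block-length sub-key per round.
    return [[S1[key[(i + r) % len(key)] ^ r] for i in range(block_len)] for r in range(rounds)]

def mix(state):
    # Mixing function (claims 20-21): two XORs, then the first S-box lookup.
    # "Rotated right one byte" is read here as index i-1, "rotated left two" as i+2, modulo n.
    n = len(state) // 2
    left, right = state[:n], state[n:]
    new_left = [S1[left[i] ^ right[i] ^ right[(i - 1) % n]] for i in range(n)]
    new_right = [S1[right[i] ^ new_left[(i - 1) % n] ^ new_left[(i + 2) % n]] for i in range(n)]
    return new_left + new_right

def unmix(state):
    # Inverse mixing (claim 27): new_left is known, so right is recovered first, then left.
    n = len(state) // 2
    new_left, new_right = state[:n], state[n:]
    right = [S1_INV[new_right[i]] ^ new_left[(i - 1) % n] ^ new_left[(i + 2) % n] for i in range(n)]
    left = [S1_INV[new_left[i]] ^ right[i] ^ right[(i - 1) % n] for i in range(n)]
    return left + right

def permute(state):
    # Permuting function (claim 24): swap the mixed halves; this is its own inverse.
    n = len(state) // 2
    return state[n:] + state[:n]

def encrypt(block, key, rounds):
    # Claim 19: each round mixes, permutes, then XORs the round sub-key and applies S2.
    assert len(block) % 2 == 0, "block length must be even to split into halves"
    state = list(block)
    for sk in sub_keys(key, rounds, len(block)):
        state = [S2[b ^ k] for b, k in zip(permute(mix(state)), sk)]
    return bytes(state)

def decrypt(block, key, rounds):
    # Claim 27: inverse substitution, inverse permutation, inverse mixing, sub-keys in reverse.
    state = list(block)
    for sk in reversed(sub_keys(key, rounds, len(block))):
        state = unmix(permute([S2_INV[b] ^ k for b, k in zip(state, sk)]))
    return bytes(state)
```

The block length and key length are free parameters here, as in claim 19; the schedule keeps the round counter below 256 so the constructed S-box index stays in range.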

***** 